From a5c8f1e9c5d1faa3f42d92bea45f1a2e02b222c2 Mon Sep 17 00:00:00 2001
From: Khue Doan <mail@khuedoan.com>
Date: Sat, 6 Jan 2024 02:07:58 +0700
Subject: [PATCH] feat(kanidm): add script for user onboarding

---
 scripts/onboard-user | 13 +++++++++++++
 scripts/setupkanidm  | 22 ----------------------
 2 files changed, 13 insertions(+), 22 deletions(-)
 create mode 100755 scripts/onboard-user
 delete mode 100644 scripts/setupkanidm

diff --git a/scripts/onboard-user b/scripts/onboard-user
new file mode 100755
index 00000000..c76e02d9
--- /dev/null
+++ b/scripts/onboard-user
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+username="${1}"
+fullname="${2}"
+mail="${3}"
+
+host="$(kubectl get ingress --namespace kanidm kanidm --output jsonpath='{.spec.rules[0].host}')"
+
+kanidm person create "${username}" "${fullname}" --url "https://${host}" --name idm_admin
+kanidm person update "${username}" --url "https://${host}" --name idm_admin --mail "${mail}"
+# TODO better group management
+kanidm group add-members "editor" "${username}" --url "https://${host}" --name idm_admin
+kanidm person credential create-reset-token "${username}" --url "https://${host}" --name idm_admin
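Review bot: Nothing stops the script when an earlier step fails: under plain `#!/bin/sh` with no `set -e`, a failed `kanidm person create` (for instance because the username already exists) still runs `group add-members "editor"` and `credential create-reset-token` against that pre-existing account, and a failed or empty `kubectl get ingress` leaves `host` blank so every call targets `https://`. Add `set -eu` directly after the shebang, check the positional arguments before any call, e.g. `[ "$#" -eq 3 ] || { echo "usage: ${0##*/} username fullname mail" >&2; exit 2; }`, and guard the lookup with `: "${host:?kanidm ingress host not found}"`. The reset token written by the last line is a credential, so a one-line comment above it saying that the output should be delivered to the user over a trusted channel and not captured in CI logs or shell history would help the next operator. The `# TODO better group management` comment would be more useful if it named why `editor` is the default group for every onboarded user.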
diff --git a/scripts/setupkanidm b/scripts/setupkanidm
deleted file mode 100644
index 7e72803f..00000000
--- a/scripts/setupkanidm
+++ /dev/null
@@ -1,22 +0,0 @@
-# TODO Do not run this script directly, it only serves as documentation,
-# Proper automation will be added later, waiting for client library update:
-# https://github.com/kanidm/kanidm/pull/2301
-
-./scripts/kanidm-reset-admin-password
-# copy password manually
-kanidm login -D admin
-kanidm service-account credential generate -D admin idm_admin
-# copy password manually
-kanidm login -D idm_admin
-
-kanidm person create khuedoan "Khue Doan" --name idm_admin
-kanidm person update khuedoan --mail "mail@khuedoan.com"
-kanidm group create demo_group --name idm_admin
-kanidm group add-members demo_group khuedoan --name idm_admin
-kanidm person credential create-reset-token khuedoan --name idm_admin
-
-kanidm system oauth2 create dex Dex https://dex.khuedoan.com/callback
-kanidm system oauth2 show-basic-secret dex
-# add secret to k8s manually
-kanidm system oauth2 create-scope-map dex demo_group openid profile email groups
-kanidm system oauth2 warning-insecure-client-disable-pkce dex